| From foo@baz Fri Jan 22 01:21:57 PM CET 2021 |
| From: Baptiste Lepers <baptiste.lepers@gmail.com> |
| Date: Tue, 12 Jan 2021 15:59:15 +0000 |
| Subject: rxrpc: Call state should be read with READ_ONCE() under some circumstances |
| |
| From: Baptiste Lepers <baptiste.lepers@gmail.com> |
| |
| [ Upstream commit a95d25dd7b94a5ba18246da09b4218f132fed60e ] |
| |
| The call state may be changed at any time by the data-ready routine in |
| response to received packets, so if the call state is to be read and acted |
| upon several times in a function, READ_ONCE() must be used unless the call |
| state lock is held. |
| |
| As it happens, we used READ_ONCE() to read the state a few lines above the |
| unmarked read in rxrpc_input_data(), so use that value rather than |
| re-reading it. |
| |
| Fixes: a158bdd3247b ("rxrpc: Fix call timeouts") |
| Signed-off-by: Baptiste Lepers <baptiste.lepers@gmail.com> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Link: https://lore.kernel.org/r/161046715522.2450566.488819910256264150.stgit@warthog.procyon.org.uk |
| Signed-off-by: Jakub Kicinski <kuba@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/rxrpc/input.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/rxrpc/input.c |
| +++ b/net/rxrpc/input.c |
| @@ -446,7 +446,7 @@ static void rxrpc_input_data(struct rxrp |
| if (state >= RXRPC_CALL_COMPLETE) |
| return; |
| |
| - if (call->state == RXRPC_CALL_SERVER_RECV_REQUEST) { |
| + if (state == RXRPC_CALL_SERVER_RECV_REQUEST) { |
| unsigned long timo = READ_ONCE(call->next_req_timo); |
| unsigned long now, expect_req_by; |
| |